'Cyber incident' affected flight planning

While ForeFlight reported in a November 6 blog post that notam services and chart updates had been "restored," a Boeing  spokesperson said ForeFlight was never directly affected, but rather used as a conduit for information directed at Jeppesen customers. An alert posted on Jeppesen’s website was updated on November 9:

"On November 2, Jeppesen experienced a cyber incident affecting certain products and services. We immediately initiated an incident response process and are working to reactivate individual products to our hosted production environment," Jeppesen said. "We continue to work to restore full functionality to all of our products and services."

By November 10, the website had been updated again, offering additional information:

"The most recent Jeppesen chart downloads available in Jeppesen Mobile FliteDeck and ForeFlight Mobile are currently effective and in compliance with applicable regulatory requirements. Any 'Expired' messages shown for Jeppesen Terminal Charts prior to Dec. 1st do not indicate that the charts are expired from a regulatory perspective," Jeppesen wrote, offering additional details on a "Digital Aviation Incident Response" page. 

Boeing purchased Jeppesen for $1.5 billion in 2000, acquiring a storied brand that, at the time, claimed an 80-percent market share in aircraft navigational products.

Boeing provided a statement November 9 addressing the outages: "Our subsidiary, Jeppesen, experienced a cyber incident affecting certain flight planning products and services. There has been some flight planning disruption, but at this time we have no reason to believe that this incident poses a threat to aircraft or flight safety. We are in communication with customers and regulatory authorities, and working to restore full service as soon as possible."

Boeing declined to describe the nature of the attack against the computer systems of its subsidiaries, its scope, or when full restoration was expected. Meanwhile, pilots are encouraged to exercise caution to avoid use of out-of-date navigation products for instrument flight.

FAA Advisory Circular 90-100A, which covers U.S. terminal and en route area navigation (RNAV) operations, states, "the onboard navigation data must be current and appropriate for the region of intended operation and must include the navigation aids, waypoints, and relevant coded terminal airspace procedures for the departure, arrival, and alternate airfields."

Aviation author, pilot, and YouTube personality Rich Pickett of Personal Wings Inc. talked about the outage on his channel and told AOPA, "If you're VFR, while there can be a safety issue flying with an expired GPS database, it's not regulatory. For IFR, it is regulatory. The database must be current, or it must be verified by an alternate source, like FAA charts for en route use. For IFR terminal procedures, they must verify that the procedures haven't changed from the last cycle by cross verifying with FAA charts. If the waypoint data has changed, you cannot use the RNAV approach; if only the altitudes have changed, then it is OK. However, changes in crossing altitudes and minimums may create significant safety issues, especially with autopilot-coupled approaches. In other words, it adds to the pilot workload and impacts safety."

AOPA Pilot Information Center staff have fielded inquiries or reports of unavailable services from members, though AOPA has not been able to learn more details about the nature of the cyber incident, or when services would be fully restored.

Cyber security remains an ongoing concern across aviation, ranging from nuisance incidents such as the denial-of-service attack that took several airport websites offline in October, to ransomware attacks targeting airlines. The European Organization for the Safety of Air Navigation reported in 2021 that cyber "attacks are up in all threat categories," amounting to a 530 percent year-over-year increase.